Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: winecooler on September 12, 2013, 06:12:40 PM
-
I'm having the issue where I get the ssl error constantly on my console. So to fix it I'm following the instructions in the wiki here (http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate). The first step tells me to do this:
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
However, there is no /home in the templates-custom folder. The only folder in there is /etc. Do I create a /home/e-smith folder or is there something else seriously wrong that I need to address first?
thanks!
-
mkdir -p /etc/e-smith/templates-custom/home/e-smith/
Continue the how-to after that
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
-
Okay I created the folder successfully, confirmed it was there. Then continued along with the instructions to fix the certificate errors (here (http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate)).
I edited ssl.crt to extend it to 5 years, saved the file, confirmed it was set to the new value. I removed the 3 files specified (actually there were none in there anyhow). BTW, I don't see how removing 3 files will "force sme server to immediately create a new self signed certificate." I ran a post-upgrade and reboot afterwards.
The errors are still continuing. When I look in /home/e-smith/ssl.crt/ it is empty. Was the post-upgrade supposed to generate a new cert?
-
What error exactly do you get?
-
Syntax error on line 134 of /etc/httpd/conf/httpd.conf:
SSLCertificate:file ' /home/e-smith/ssl.crt/server.domain.crt' does not exist or is empty
-
BTW, I don't see how removing 3 files will "force sme server to immediately create a new self signed certificate."
"immediate" is incorrect.
I ran a post-upgrade and reboot afterwards.
That should create a new certificate.
-
signal-event console-save
signal-event post-upgrade
signal-event reboot
Try that sequence.
-
I did that sequence and same result, there is nothing in /home/e-smith/ssl.crt/
-
winecooler
Please do the following & show us the output
cd /home/e-smith
ls -al
cd /home/e-smith/ssl.crt
ls -al
cd /home/e-smith/ssl.key
ls -al
cd /home/e-smith/ssl.pem
ls -al
cd /etc/e-smith/templates/home/e-smith
ls -al
cd /etc/e-smith/templates-custom/home/e-smith
ls -al
also
config show modSSL
-
Okay, I just took pictures, hope that's okay - here (http://minus.com/mbuliA48P7ERVo)
some pics have multiple ls'
-
I edited ssl.crt to extend it to 5 years, saved the file, ...
I recommend you delete that custom template file and follow the reconfiguration steps to generate a new standard certificate file. You don't need 5 years - SME server will generate a new certificate file before the old one expires.
I suspect whatever customisation you made isn't working quite right. If so, you may see error messages in /var/log/messages during attempted template expansion.
-
winecooler
As Charlie says remove the custom template & reset the certificate.
Do:
rm /etc/e-smith/templates-custom/home/e-smith/ssl.crt
rmdir /etc/e-smith/templates-custom/home/e-smith
Then to reset the self signed certificate to standard do:
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot
That comes from
http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate
Let us know the outcome.
Once you get a standard certificate working & you know it's right, you can then make any custom template changes you want to.
From your photos:
ls -al /home/e-smith/ssl.crt
That is empty, which is not a good thing!
It matches your error:
Syntax error on line 134 of /etc/httpd/conf/httpd.conf:
SSLCertificate:file ' /home/e-smith/ssl.crt/server.domain.crt' does not exist or is empty
It should have had a file in there with a name like
backup.titqet.local.crt
When reset it will follow the name of your server & the main domain name.
-
CharlieBrady
You don't need 5 years - SME server will generate a new certificate file before the old one expires.
Yes, but....
I'm sure you know this so for the benefit of others who don't, when the annual auto renewal happens, users who have put the self signed certificate into their browser etc, will get a warning message as the regenerated certificate is untrusted.
This causes "drama" as users get worried about these scary warnings & do not know or forget how to add the self signed certificate back into their browser's trusted root certificate list.
So a longer validity period removes this issue from happening annually, to every 5 years (or whatever validity period is chosen).
It does not remove the issue, but reduces the frequency of it happening.
-
Hi janet, okay I followed those last instructions and the errors have gone. There is a cert there now. BTW would you mind removing the real domain name text from your post? Don't need it searchable, thanks, just use "domain" or some such.
Thanks again!
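-
The directory checks done by hand in this thread, plus an expiry check for the renewal point raised above, as an added example that is not part of the original posts or of SME Server itself. The function names are hypothetical; the paths are the ones quoted in the thread, and `openssl x509 -checkend` is assumed to be available on the server.

```shell
#!/bin/sh
# Added example: verify the certificate directories named in the thread.

# has_nonempty_file DIR -> 0 if DIR holds at least one non-empty regular file
has_nonempty_file() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# check_ssl_dirs [BASE] -> 0 only if ssl.crt, ssl.key and ssl.pem are populated.
# BASE defaults to /home/e-smith; an empty directory or a zero-byte file is
# the condition httpd reports as "does not exist or is empty".
check_ssl_dirs() {
    base=${1:-/home/e-smith}
    rc=0
    for d in ssl.crt ssl.key ssl.pem; do
        if has_nonempty_file "$base/$d"; then
            echo "OK      $base/$d"
        else
            echo "MISSING $base/$d (no non-empty file)"
            rc=1
        fi
    done
    return $rc
}

# cert_expires_within FILE DAYS
#   0 = certificate expires within DAYS days (expect browser warnings soon)
#   1 = certificate is still valid after DAYS days
#   2 = FILE could not be parsed as a certificate
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# Run the directory check only when a base directory is given as an argument,
# e.g.: sh check-ssl.sh /home/e-smith
if [ $# -gt 0 ]; then
    check_ssl_dirs "$1"
fi
```

Run it after `signal-event post-upgrade` to confirm a certificate was actually regenerated before rebooting.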